Mainzelliste API (3.3.0)

Introduction

Mainzelliste provides a REST-based interface for the pseudonymization of personal data and management of consents to ensure privacy-compliant data processing. This interface supports the following use cases:

• First-level pseudonymization (IDAT → PID)
• Management of multiple pseudonyms (e.g., PSN, SIC, DeineID1, DeineID2, ...)
• Name resolution (Pseudonym → IDAT)
• Handling of temporary pseudonyms
• Batch pseudonymization
• Consent management

This document includes:

1. An introductory example, which presents the key elements of the interface using a typical use case. This section is particularly useful for newcomers as an entry point to working with the interface.
2. A formal specification of the interface, intended as a reference for developers implementing the interface on either the client or server side, and as a comprehensive overview of its functionality. Note: Endpoints tagged as EXPERIMENTAL are subject to change or removal in future releases.

Cite as

For referencing the Mainzelliste interface in publications, you may cite the open-access article published in 2015 in BMC Medical Informatics and Decision Making [1].

License, Distribution, Modification

Mainzelliste is free software; see http://www.mainzelliste.de. The interface specified here is open, meaning its specification is publicly available and may be implemented without our permission. Extensions or modifications are also permitted. However, in the interest of maintaining a consistent interface in the long term, we kindly ask that you discuss any proposed changes with us before distributing modified versions. Until now, we have been able to include all suggestions into this official interface specification.

Resources

The REST paradigm uses the HTTP protocol for communication and processes the following REST resources:

• patients – The patients along with their identifying attributes and identifiers.
• sessions – Represent a user session to group tokens.
• tokens – Represent permissions for accessing functions of the interface.
• jobs - Represent asynchronous job. Batch pseudonymiziation of multiple patients.
• fhir/Consent - Consent fhir resource according to HL7 FHIR R4 specification.
• fhir/Provenance - Provenance fhir resource includes digital signatures and references to pdf scans.
• fhir/DocumentReference - DocumentReference fhir resource containing consent related pdf scans.
• html – Predefined HTML forms for display in a web browser.

Introduction Example

The following example illustrates the basic functionality of the interface. The scenario is as follows:

• A registry is used to pseudonymize and store medical data (MDAT) of study participants. The registry provides a web interface (HTML) through which MDAT, along with the corresponding pseudonym (referred as “ID”), can be submitted. The registry software includes user management and authentication (e.g., via username and password).
• The MDAT is collected from multiple participating clinics. Each clinic holds the identifying data (IDAT) of the registry patients treated at their facility.
• To enable cross-institutional tracking of patients, a central patient list is used for pseudonymization, accessed via the interface described here. Authorized personnel at the clinics enter the patients’ IDAT into the system. The patient list uses a record linkage algorithm to check whether the patient is already registered. If the patient exists, the existing pseudonym is returned. If not, the IDAT is stored and a new pseudonym is generated and returned.

The following describes the case in which a user wants to enter a new patient into the registry software and request a pseudonym for that patient. This process is illustrated in the sequence diagram in Figure 1. The numbers in the following notes refer to steps in this diagram.

Authentication and Authorization

The Mainzelliste interface does not perform separate authentication of individual users, as this is typically handled by another server. In this context, it is assumed that authentication is performed by the web server of the MDAT application (here referred to as the "MDAT server"). The MDAT server authenticates itself to the patient list and issues access tokens to users, thereby implementing a single sign-on (SSO) concept. Steps 1–4 in the sequence diagram illustrate this concept:

1. The user logs into the MDAT server, for example using a username and password or a smartcard certificate. The MDAT server then creates a browser session for the user.
2. The MDAT server creates a session in Mainzelliste. This serves as an extension of the user's browser session across an additional server. The session is created by sending a POST request to the */sessions/* resource of the Mainzelliste. The MDAT server authenticates itself using an access key (which is configured in the patient list), provided via the HTTP header *mainzellisteApiKey*. The session is assigned a unique identifier *{sessionId}* and a resource path */sessions/{sessionId}/*. The full URL of the session is returned to the MDAT server.
3. The user selects the “New Patient” function.
4. To authorize the user to pseudonymize a patient, the MDAT server creates an access token on the patient list. Tokens are represented within a session by the path */tokens/*. A token is created via a POST request to the resource */sessions/{sessionId}/tokens/*. The most important properties of a token are:
   1. Token type (type parameter in the submitted object): This is an identifier that defines the function for which the token is valid. In this case, the type *addPatient* is used, which authorizes pseudonymization of exactly one patient.
   2. Token ID: This identifier uniquely represents the token. To redeem the token (i.e., to invoke a function of the Mainzelliste), only the token ID is required. It is implemented as a sufficiently long random string to prevent collisions and make guessing practically impossible.
   The token is returned as a JSON object, allowing the MDAT server to extract the token ID from the response.

By using access tokens, the Mainzelliste can bypasse the management of individual user accounts. This avoids the duplication of user information, which already exists on the MDAT server, and simplifies the administration of the Mainzelliste by external service providers.

Pseudonymization

The actual pseudonymization must now be performed by the user on a webpage provided by the patient list. Entering identifying data (IDAT) into a form delivered by the MDAT server would violate the strict separation of medical and identifying data, as the MDAT server could potentially access the IDAT. The process proceeds as follows: 5. The MDAT server redirects the user to the /html/createPatient resource of the patient list, for example via an HTTP redirect or a hyperlink. The token ID created in step (4) is appended as a URL parameter tokenID. As response, the patient list serves an HTML form in which the user can enter the identifying data of the new patient. 6. When the form is submitted, the entered data is sent via a POST request to the /patients resource. As in the previous step, the token ID is passed as a URL parameter. To authorize the request, the patient list verifies that a token with this ID exists and is valid (i.e., has not yet been used). 7. The patient list determines a pseudonym for the patient — either an existing one, if a matching patient is already exist, or a new one if the patient is not yet registered. 8. The pseudonym is displayed to the user, who can then record it and use it to enter medical data into the MDAT application.

References

[1] Lablans M, Borg A, Ückert F (2015) A RESTful interface to pseudonymization services in modern web applications. BMC Med Inform Decis Mak 15: 2. doi: 10.1186/s12911-014-0123-5